glimpze Posted 15 September 2008 (edited)

Hi! This summer, when I went to download a patch for a game, I got a virus. At least Norton 2006 clearly warned that something was wrong as soon as I opened the file that was supposed to be the patch. At the time I had both AVG and Norton 2006 installed and had never had problems with viruses before. What this did was take over the admin rights on the machine. Among other things, Control Panel disappeared from the Start menu, and when I tried/try to open Control Panel or, for example, the clock in the bottom right corner, I only get "the operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator". The virus also made AVG stop working, and Norton suddenly lacked many files needed to work properly. It is also not possible to install AVG, since it cannot register itself in the registry. I have nevertheless tried to install AVG and Norton again, without them managing to scan the registry and/or remove all the viruses. ESET NOD32 found 180 threats on the 25 GB Windows partition alone and managed to remove all but one. Still, nothing works. Norton keeps popping up saying that Infostealer.Gamepass and Trojan Vundo and Trojan Horse are messing up my machine. In Firefox, new windows with IQ tests and ads keep popping up. The problem is that I don't want to format, since I have several terabytes of important programs and games. Even though the Windows partition is only 25 GB, I would rather not reinstall and set up all the games and programs again. Can anyone help me? Has anyone experienced being demoted on their own PC and/or Control Panel disappearing from the Start menu? Are there any antivirus programs or similar that I should/can run that might kill the crap on my computer? Thanks in advance!

Edited 23 September 2008 by glimpze
Stifi Posted 15 September 2008 (edited)

Run a HijackThis test.
https://www.diskusjon.no/index.php?showtopic=575063
http://www.hijackthis.de/

Edited 15 September 2008 by Stifi
norbat Posted 16 September 2008

Or follow the guide. Post the logs it asks for here in your own thread.
glimpze (Author) Posted 21 September 2008 (edited)

I have now followed your guide, norbat, and after the scans Control Panel is back in the Start menu and I have admin rights again, such as being able to set the clock :-) Here are the logs; I hope someone can help analyse them:

MBAM:

Malwarebytes' Anti-Malware 1.28
Database version: 1188
Windows 5.1.2600 Service Pack 2

22.09.2008 00:13:32
mbam-log-2008-09-22 (00-13-32).txt

Scan type: Quick Scan
Objects scanned: 42381
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 7
Files Infected: 80

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e89e6ed3-fe6a-4f2e-a822-2f5d70d42506} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e89e6ed3-fe6a-4f2e-a822-2f5d70d42506} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{a3b4ff8a-d3e7-4692-a9b6-971f62802310} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{2b7763c3-642b-4934-902c-72a63a95127a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ultra soft (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cj.cjmgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyGlobalSearch (Adware.BookedSpace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm5b086e79 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run (Trojan.Downloader) -> Data: j:\windows\system32\winupdate.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run (Trojan.Downloader) -> Data: system32\winupdate.exe -> Quarantined and deleted successfully.

Folders Infected:
J:\Program Files\MyGlobalSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
J:\Program Files\MyGlobalSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
J:\Program Files\MyGlobalSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
J:\Program Files\MyGlobalSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
J:\Documents and Settings\Administrator\Application Data\ultra (Rogue.Multiple) -> Quarantined and deleted successfully.
J:\Program Files\IE Extensions (Trojan.BHO) -> Quarantined and deleted successfully.
J:\Program Files\cjb (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
J:\WINDOWS\system32\dffsnfij.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\jifnsffd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\ilereynx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\xnyereli.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\incorqgd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\dgqrocni.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\othaugvy.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\ubaitveh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\hevtiabu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\uhntbhhj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\jhhbtnhu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\xtdgswma.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\amwsgdtx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
J:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q5ULUJ6X\silent.dll[2].bak (Trojan.BHO.H) -> Delete on reboot.
J:\Program Files\IE Extensions\cj.v5.dll (Trojan.BHO) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\ghxbhcon.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\kdvpjkvr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\mlqottko.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\qfypvjde.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\vqrsnvsw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\bkpkltjj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\dngnvsoo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\dqustmfa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\llyruwbi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\tgeyxswv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\jledpqwf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\jtpbtrnw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\micvwh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\lgedwvje.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\lpsvotkj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\ijopuqna.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\hcklckym.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\Program Files\MyGlobalSearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
J:\Documents and Settings\Administrator\Application Data\ultra\uninstall.bat (Rogue.Multiple) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
J:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
J:\Program Files\xloader30029.exe (Trojan.Agent) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
J:\Program Files\tmp12130671.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp161875.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp162453.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp162468.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp166390.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp167234.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp170671.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp181859.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp183328.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp183343.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp1988609.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp1988625.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20542093.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20555828.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20561531.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20565250.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20565500.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20576312.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20576531.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20580812.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20580875.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20581343.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20583406.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20584500.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20596218.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20597093.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20597296.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20597890.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20601968.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20613734.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20614875.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp20617625.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp6695015.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\Program Files\tmp6739921.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
J:\WINDOWS\inf\ultra.inf (Malware.Trace) -> Quarantined and deleted successfully.
J:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
J:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\BM5b086e79.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\BM5b086e79.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\Program Files\ucleaner_setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\oqtss.ini (Malware.Trace) -> Quarantined and deleted successfully.

Combofix:

ComboFix 08-09-20.05 - Administrator 2008-09-22 0:24:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1613 [GMT 2:00]
Running from: J:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

J:\WINDOWS\system32\adaxscou.ini
J:\WINDOWS\system32\bgecrxur.ini
J:\WINDOWS\system32\dfohhrhg.ini
J:\WINDOWS\system32\drivers\mfwljkqo.dat
J:\WINDOWS\system32\jfnswyyj.ini
J:\WINDOWS\system32\kbbxwecy.ini
J:\WINDOWS\system32\kkvjgnsr.ini
J:\WINDOWS\system32\puicukgi.ini
J:\WINDOWS\system32\raqhriqr.ini
J:\WINDOWS\system32\tmrnbuie.ini
U:\Autorun.inf
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_INXBVJFA
-------\Service_inxbvjfa

((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))
.

2008-09-22 00:35 . 2008-09-22 00:35 <DIR> d-------- J:\WINDOWS\LastGood
2008-09-21 23:45 . 2008-09-21 23:45 <DIR> d-------- J:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 23:45 . 2008-09-21 23:45 <DIR> d-------- J:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 23:45 . 2008-09-21 23:45 <DIR> d-------- J:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-21 23:45 . 2008-09-10 00:04 38,528 --a------ J:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 23:45 . 2008-09-10 00:03 17,200 --a------ J:\WINDOWS\system32\drivers\mbam.sys
2008-09-15 00:46 . 2008-09-15 00:46 345 --ahs---- J:\WINDOWS\system32\jjjlm.ini2
2008-09-15 00:22 . 2008-09-15 00:22 <DIR> d-------- J:\Documents and Settings\All Users\Application Data\ESET
2008-09-14 11:46 . 2008-09-15 00:39 3,594 ---hs---- J:\WINDOWS\system32\ugllnrob.ini
2008-09-13 11:25 . 2008-09-13 11:25 5,120 --a------ J:\WINDOWS\system32\drivers\wxmaycbn.dat
2008-09-13 06:34 . 2008-09-14 11:45 3,174 ---hs---- J:\WINDOWS\system32\cbnqwbap.ini
2008-09-13 05:21 . 2008-09-13 06:31 2,874 ---hs---- J:\WINDOWS\system32\rfvahswv.ini
2008-09-09 21:08 . 2008-09-11 20:18 2,274 ---hs---- J:\WINDOWS\system32\sgdtkdsi.ini
2008-09-06 20:56 . 2008-09-09 21:05 1,914 ---hs---- J:\WINDOWS\system32\oxjmxidm.ini
2008-09-06 20:40 . 2008-09-06 20:53 1,734 ---hs---- J:\WINDOWS\system32\ssndrmeg.ini
2008-09-06 17:48 . 2008-09-06 17:55 <DIR> d-------- J:\Documents and Settings\All Users\Application Data\TrackMania
2008-09-03 21:16 . 2008-09-04 01:20 594 ---hs---- J:\WINDOWS\system32\ogujxwgb.ini
2008-08-29 01:24 . 2008-08-29 01:24 54,156 --ah----- J:\WINDOWS\QTFont.qfn
2008-08-29 01:24 . 2008-08-29 01:24 1,409 --a------ J:\WINDOWS\QTFont.for
2008-08-28 00:19 . 2008-08-29 02:15 894 ---hs---- J:\WINDOWS\system32\sdvbortn.ini
2008-08-27 22:03 . 2008-08-28 00:16 414 ---hs---- J:\WINDOWS\system32\syrpagqc.ini
2008-08-26 20:36 . 2008-08-27 22:01 2,094 ---hs---- J:\WINDOWS\system32\pcrmwchh.ini
2008-08-26 01:17 . 2008-08-26 20:36 1,614 ---hs---- J:\WINDOWS\system32\blhsqygd.ini
2008-08-25 21:55 . 2008-08-26 01:16 1,314 ---hs---- J:\WINDOWS\system32\hlpossno.ini
2008-08-24 21:31 . 2008-08-25 21:47 1,134 ---hs---- J:\WINDOWS\system32\tveysnxi.ini
2008-08-24 17:15 . 2008-08-24 21:28 534 ---hs---- J:\WINDOWS\system32\uwnjrntw.ini
2008-08-23 17:17 . 2008-08-24 16:42 354 ---hs---- J:\WINDOWS\system32\otmpimul.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 21:44 --------- d-----w J:\Program Files\CCleaner
2008-09-15 22:33 --------- d-----w J:\Documents and Settings\All Users\Application Data\avg7
2008-09-15 07:42 --------- d-----w J:\Program Files\DAEMON Tools
2008-09-15 06:00 --------- d-----w J:\Documents and Settings\LocalService\Application Data\AVG7
2008-09-14 22:21 --------- d-----w J:\Program Files\audiograbber
2008-09-06 15:41 --------- d-----w J:\Program Files\mIRC
2008-09-03 22:36 --------- d-----w J:\Program Files\Winamp
2008-08-29 00:12 --------- d-----w J:\Program Files\DC++
2008-08-28 17:34 --------- d-----w J:\Documents and Settings\Administrator\Application Data\AVG7
2008-08-27 23:12 --------- d-----w J:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-04 13:46 --------- d-----w J:\Program Files\Mozilla Thunderbird
2008-02-25 08:10 318 --sha-w J:\WINDOWS\system32\kjllm.ini2
2008-02-25 12:21 700 --sha-w J:\WINDOWS\system32\oqtss.ini2
2008-03-17 18:15 83,349 --sha-w J:\WINDOWS\system32\orutv.ini2
.
------- Sigcheck -------

2004-08-03 21:56 14336 8f078ae4ed187aaabc0a305146de6716 J:\WINDOWS\system32\svchost.exe
2005-10-13 18:06 577024 1800f293bccc8ede8a70e12b88d80036 J:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 17:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b J:\WINDOWS\system32\user32.dll
2007-03-08 17:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b J:\WINDOWS\system32\dllcache\user32.dll
2004-08-03 21:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 J:\WINDOWS\system32\ws2_32.dll
2005-10-14 13:47 360448 b51b0046d15982530af09f3d01ff48ab J:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 19:07 360448 5562cc0a47b2aef06d3417b733f3c195 J:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 J:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 J:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 J:\WINDOWS\system32\drivers\tcpip.sys
2004-08-03 21:56 502272 01c3346c241652f43aed8e2149881bfe J:\WINDOWS\system32\winlogon.exe
2004-08-03 20:14 182912 558635d3af1c7546d26067d5d9b6959e J:\WINDOWS\system32\drivers\ndis.sys
2004-08-03 20:00 29056 4448006b6bc60e6c027932cfc38d6855 J:\WINDOWS\system32\drivers\ip6fw.sys
2005-11-28 13:10 2015744 48472d224e1703882b4de0e28e205e9b J:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 18:12 2017280 fa64f313f5237c53a909906113acae7d J:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 11:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba J:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 11:15 2017280 2dfb215e291e3d9b1cf9a6739b3bf16c J:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 11:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba J:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2005-10-14 14:49 2136064 25c36dbc46e8eff2a811769a60715ac5 J:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 18:49 2137600 57b9d140e1eb8b0ea06df927b63b0eee J:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 11:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 J:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 11:53 2137600 e6679c3023b17d8b78946bc5df53fa20 J:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 11:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 J:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-06-13 13:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 J:\WINDOWS\explorer.exe
2005-10-15 05:37 1032192 45757077a47c68a603a79b03a1a836ab J:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 13:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 J:\WINDOWS\system32\dllcache\explorer.exe
2004-08-03 21:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 J:\WINDOWS\system32\services.exe
2004-08-03 21:56 13312 84885f9b82f4d55c6146ebf6065d75d2 J:\WINDOWS\system32\lsass.exe
2004-08-03 21:56 15360 24232996a38c0b0cf151c2140ae29fc8 J:\WINDOWS\system32\ctfmon.exe
2005-10-13 18:06 57856 ad3d9d191aea7b5445fe1d82ffbb4788 J:\WINDOWS\system32\spoolsv.exe
2004-08-03 21:56 24576 39b1ffb03c2296323832acbae50d2aff J:\WINDOWS\system32\userinit.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="J:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
"TaskSwitchXP"="J:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="J:\WINDOWS\system32\NvCpl.dll" [2005-10-10 7286784]
"NvMediaCenter"="J:\WINDOWS\system32\NvMcTray.dll" [2005-10-10 86016]
"WinampAgent"="J:\Program Files\Winamp\winampa.exe" [2005-12-09 35328]
"snpstd"="J:\WINDOWS\vsnpstd.exe" [2003-12-31 40960]
"RemoteControl"="J:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"ccApp"="J:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 52840]
"NeroFilterCheck"="J:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"PinnacleDriverCheck"="J:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 406016]
"KillCopy"="J:\Program Files\KillSoft\KillCopy\kcresume.exe" [2006-08-07 295424]
"QuickTime Task"="J:\Program Files\QuickTime\qttask.exe" [2006-10-17 98304]
"DAEMON Tools"="J:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"NVIDIA nTune"="J:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2006-10-31 81920]
"amd_dc_opt"="J:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"Symantec PIF AlertEng"="J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 J:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2005-10-10 J:\WINDOWS\system32\nwiz.exe]
"Resume copy"="copyfstq.exe" [2002-03-24 J:\WINDOWS\COPYFSTQ.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="J:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 15360]
"TaskSwitchXP"="J:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"nlhr"="J:\WINDOWS\System32\AdvPack.Dll" [2007-08-13 123904]
"tscuninstall"="J:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 44544]

J:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - J:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
PowerReg Scheduler V3.exe [2006-07-21 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=tqoghn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DIV3"= J:\PROGRA~1\K-LITE~1\codecs\DivXc32.dll
"VIDC.DIV4"= J:\PROGRA~1\K-LITE~1\codecs\DivXc32f.dll
"VIDC.3iv2"= J:\PROGRA~1\K-LITE~1\codecs\3IVXVF~1.DLL
"VIDC.HFYU"= J:\PROGRA~1\K-LITE~1\codecs\huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.VP70"= J:\PROGRA~1\K-LITE~1\codecs\vp7vfw.dll
"VIDC.VP31"= J:\PROGRA~1\K-LITE~1\codecs\vp31vfw.dll
"VIDC.MP43"= J:\PROGRA~1\K-LITE~1\codecs\Mpg4c32.dll
"VIDC.FFDS"= J:\PROGRA~1\K-LITE~1\ffdshow\ff_vfw.dll
"msacm.ac3acm"= J:\PROGRA~1\K-LITE~1\codecs\ac3acm.acm
"msacm.lameacm"= J:\PROGRA~1\K-LITE~1\codecs\lameACM.acm
"msacm.l3fhg"= J:\PROGRA~1\K-LITE~1\codecs\l3codecp.acm
"msacm.divxa32"= J:\PROGRA~1\K-LITE~1\codecs\divxa32.acm
"msacm.imc"= imc32.acm
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"K:\\Spill\\Battlefield 2\\BF2.exe"=
"J:\\Program Files\\BitComet\\BitComet.exe"=
"J:\\Program Files\\LimeWire\\LimeWire.exe"=
"J:\\Program Files\\Valve\\hl.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\counter-strike\\hl.exe"=
"J:\\Program Files\\mIRC\\mirc.exe"=
"J:\\Program Files\\DC++\\DCPlusPlus.exe"=
"J:\\Program Files\\Azureus\\Azureus.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\half-life 2 deathmatch\\hl2.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\rag doll kung fu demo\\Rag_Doll_Kung_Fu_Steam.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\counter-strike source\\hl2.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\half-life\\hl.exe"=
"K:\\Spill\\Need For Speed Most Wanted\\speed.exe"=
"C:\\Innstallere\\aoe2 on 85.19.151.132\\age2_x1.exe"=
"\\\\prestjord\\aoe2 on 85.19.151.132\\age2_x1.exe"=
"J:\\WINDOWS\\system32\\dplaysvr.exe"=
"K:\\Spill\\Call Of Duty 2\\CoD2MP_s.exe"=
"J:\\WINDOWS\\system32\\dpvsetup.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\team fortress classic\\hl.exe"=
"E:\\FRA 80 GB\\Spill\\-=Red Alert 2=-\\GAME.EXE"=
"J:\\Program Files\\FlashFXP\\flashfxp.exe"=
"C:\\Spill\\Quake 4\\Quake4.exe"=
"C:\\Spill\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"J:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"J:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"J:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"J:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"J:\\WINDOWS\\system32\\dxdiag.exe"=
"J:\\WINDOWS\\system32\\dpnsvr.exe"=
"Q:\\Spill\\cs 1.6\\hl.exe"=
"Q:\\Spill\\Generals\\game.dat"=
"Q:\\Spill\\Generals Zero Hour\\game.dat"=
"K:\\Spill\\Age Of Empires 3\\age3.exe"=
"Q:\\Spill\\Colin McRae 04\\cmr4.exe"=
"C:0\\Spill\\The Lord Of The Rings - The Battle For Middle Earth 2\\game.dat"=
"C:4\\Spill\\MotoGP2\\motogp2.exe"=
"C:\\Spill\\cs 1.6\\hl.exe"=
"C:0\\Spill\\Act Of War\\ACTOFWAR.EXE"=
"C:0\\Spill\\The First Decade\\Command & Conquer Generals Zero Hour\\generals.exe"=
"J:\\Program Files\\uTorrent\\utorrent.exe"=
"C:0\\Spill\\Serious Sam - The Second Encounter\\Bin\\SeriousSam.exe"=
"C:0\\Spill\\Worms Forts Under Siege\\WF.exe"=
"E:\\FRA 80 GB\\Spill\\Unreal Tournament\\System\\UnrealTournament.exe"=
"J:\\Program Files\\WebEye\\WebEye.exe"=
"C:0\\Spill\\Worms 2\\frontend.exe"=
"C:0\\Spill\\Worms_2\\worms2.exe"=
"\\\\paul\\Upload\\worms2.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\garrysmod\\hl2.exe"=
"J:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:0\\Spill\\Outrun 2006 - Coast To Coast\\OR2006C2C.EXE"=
"J:\\Program Files\\Skype\\Phone\\Skype.exe"=
"J:\\Program Files\\Hamachi\\hamachi.exe"=
"J:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"J:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:7\\Spill\\Company Of Heroes - Opposing Force\\RelicCOH.exe"=
"C:7\\Spill\\ISO\\FlatOut2 på bernt\\FlatOut2.exe"=
"R:\\Spill\\C&C3 Tiberium Wars\\RetailExe\\1.0\\cnc3game.dat"=
"C:6\\Spill\\Company Of Heroes\\RelicCOH.exe"=
"C:6\\Spill\\FlatOut2\\FlatOut2.exe"=
"C:0\\Spill\\TmNationsForever\\TmForever.exe"=
"C:0\\Spill\\TmUnitedForever\\TmForever.exe"=

R0 Pnp680;SiI 680 ATA Controller;J:\WINDOWS\system32\DRIVERS\pnp680.sys [2002-03-15 37031]
R0 WDMCAPI;ISDN PCI CAPI;J:\WINDOWS\system32\DRIVERS\WDMCAPI.sys [2002-04-24 612669]
R2 UxTuneUp;TuneUp Design Expansion;J:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
R3 WDMWANMP;NDIS WAN miniport;J:\WINDOWS\system32\DRIVERS\wdmwanmp.sys [2002-03-26 26067]
S1 SysTool;SysTool Overclocking Utility;J:\WINDOWS\system32\DRIVERS\SysTool.sys [2005-09-26 24064]
S3 RivaTunerEx;RivaTunerEx;L:\Program Filer\Riva Tuner\RivaTunerEx.sys [2004-10-04 2560]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
\Shell\AutoRun\command - P:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebe9a054-6b1d-11da-98d7-806d6172696f}]
\Shell\AutoRun\command - G:\POV.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{030240BC-71F3-47F4-9ABD-BC2F4AADE783} - (no file)
BHO-{040C4F7C-6248-4D45-A893-3AEF4DE3320b} - (no file)
BHO-{30240BC9-71F3-47F4-9ABD-BC2F4AADE783} - (no file)
BHO-{7e7b7e1f-cebb-4519-8d1a-8cb1173634f3} - (no file)
BHO-{A3A0458B-6004-457A-B913-ACC035F77547} - (no file)
BHO-{E89E6ED3-FE6A-4F2E-A822-2F5D70D42506} - J:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q5ULUJ6X\silent.dll[2].bak
HKU-Default-Run-Free Download Manager - J:\Program Files\Free Download Manager\fdm.exe

.
------- File Associations -------
.
inffile=J:\WINDOWS\system32\NOTEPAD2.EXE %1
inifile=J:\WINDOWS\system32\NOTEPAD2.EXE %1
txtfile=J:\WINDOWS\system32\NOTEPAD2.EXE %1
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 00:35:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...
J:\WINDOWS\LastGood

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Data]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Networking]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for Oracle]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for SqlServer]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NETFramework]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\61883]
"ImagePath"="system32\DRIVERS\61883.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\abp480n5]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\DRIVERS\ACPI.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPIEC]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Adobe LM Service]
"ImagePath"="\"J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe\""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\adpu160m]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aec]
"ImagePath"="system32\drivers\aec.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALCXWDM]
"ImagePath"="system32\drivers\ALCXWDM.SYS"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AmdK8]
"ImagePath"="system32\DRIVERS\AmdK8.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AmdLLD]
"ImagePath"="system32\DRIVERS\AmdLLD.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Arp1394]
"ImagePath"="system32\DRIVERS\arp1394.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASAPIW2K]
"ImagePath"="\??\J:\WINDOWS\system32\Drivers\asapiW2k.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_2.0.50727]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aspnet_state]
"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\DRIVERS\atapi.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc]
"ImagePath"="system32\DRIVERS\atmarpc.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub]
"ImagePath"="system32\DRIVERS\audstub.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Automatic LiveUpdate Scheduler]
"ImagePath"="\"J:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe\""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avc]
"ImagePath"="system32\DRIVERS\avc.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]
"ServiceDll"="%systemroot%\system32\qmgr.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser] "ServiceDll"="%SystemRoot%\System32\browser.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme] "ImagePath"="\??\J:\ComboFix\catchme.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCDECODE] "ImagePath"="system32\DRIVERS\CCDECODE.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr] "ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccSetMgr] "ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom] "ImagePath"="system32\DRIVERS\cdrom.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc] "ImagePath"="%SystemRoot%\system32\cisvc.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv] "ImagePath"="%SystemRoot%\system32\clipsrv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32] "ImagePath"="J:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp] "ImagePath"="J:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc] "ServiceDll"="%SystemRoot%\System32\cryptsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch] "ServiceDll"="%SystemRoot%\system32\rpcss.dll" 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp] "ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk] "ImagePath"="system32\DRIVERS\disk.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin] "ImagePath"="%SystemRoot%\System32\dmadmin.exe /com" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot] "ImagePath"="System32\drivers\dmboot.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio] "ImagePath"="System32\drivers\dmio.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload] "ImagePath"="System32\drivers\dmload.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver] "ServiceDll"="%SystemRoot%\System32\dmserver.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic] "ImagePath"="system32\drivers\DMusic.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache] "ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud] "ImagePath"="system32\drivers\drmkaud.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eeCtrl] "ImagePath"="\??\J:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ENTECH] "ImagePath"="\??\J:\WINDOWS\system32\DRIVERS\ENTECH.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EraserUtilRebootDrv] "ImagePath"="\??\J:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc] "ServiceDll"="%SystemRoot%\System32\ersvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog] "ImagePath"="%SystemRoot%\system32\services.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem] "ServiceDll"="J:\WINDOWS\system32\es.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility] 
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc] "ImagePath"="system32\DRIVERS\fdc.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk] "ImagePath"="system32\DRIVERS\flpydisk.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr] "ImagePath"="system32\DRIVERS\fltMgr.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk] "ImagePath"="system32\DRIVERS\ftdisk.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GMSIPCI] "ImagePath"="\??\G:\INSTALL\GMSIPCI.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc] "ImagePath"="system32\DRIVERS\msgpc.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hamachi] "ImagePath"="system32\DRIVERS\hamachi.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc] "ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ] "ServiceDll"="%SystemRoot%\System32\hidserv.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidUsb] "ImagePath"="system32\DRIVERS\hidusb.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP] "ImagePath"="System32\Drivers\HTTP.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter] "ServiceDll"="%SystemRoot%\System32\w3ssl.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt] "ImagePath"="system32\DRIVERS\i8042prt.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverT] "ImagePath"="\"J:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi] "ImagePath"="system32\DRIVERS\imapi.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService] 
"ImagePath"="%systemroot%\system32\imapi.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw] "ImagePath"="system32\DRIVERS\Ip6Fw.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver] "ImagePath"="system32\DRIVERS\ipfltdrv.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp] "ImagePath"="system32\DRIVERS\ipinip.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat] "ImagePath"="system32\DRIVERS\ipnat.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec] "ImagePath"="system32\DRIVERS\ipsec.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM] "ImagePath"="system32\DRIVERS\irenum.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp] "ImagePath"="system32\DRIVERS\isapnp.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass] "ImagePath"="system32\DRIVERS\kbdclass.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbdhid] "ImagePath"="system32\DRIVERS\kbdhid.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer] "ImagePath"="system32\drivers\kmixer.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver] "ServiceDll"="%SystemRoot%\System32\srvsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation] "ServiceDll"="%SystemRoot%\System32\wkssvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LiveUpdate] "ImagePath"="\"J:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LiveUpdate Notice Service] "ImagePath"="\"J:\Program Files\Common 
Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe\" /m \"J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts] "ServiceDll"="%SystemRoot%\System32\lmhsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarvinBus] "ImagePath"="system32\DRIVERS\MarvinBus.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger] "ServiceDll"="%SystemRoot%\System32\msgsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass] "ImagePath"="system32\DRIVERS\mouclass.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid] "ImagePath"="system32\DRIVERS\mouhid.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV] "ImagePath"="system32\DRIVERS\mrxdav.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb] "ImagePath"="system32\DRIVERS\mrxsmb.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC] "ImagePath"="J:\WINDOWS\system32\msdtc.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDV] "ImagePath"="system32\DRIVERS\msdv.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer] "ImagePath"="%systemroot%\system32\msiexec.exe /V" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV] "ImagePath"="system32\drivers\MSKSSRV.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK] "ImagePath"="system32\drivers\MSPCLOCK.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM] "ImagePath"="system32\drivers\MSPQM.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios] "ImagePath"="system32\DRIVERS\mssmbios.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSTEE] "ImagePath"="system32\drivers\MSTEE.sys" 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NABTSFEC] "ImagePath"="system32\DRIVERS\NABTSFEC.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\navapsvc] "ImagePath"="J:\Program Files\Norton AntiVirus\navapsvc.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVENG] "ImagePath"="\??\J:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080921.003\NAVENG.Sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15] "ImagePath"="\??\J:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080921.003\NavEx15.Sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisIP] "ImagePath"="system32\DRIVERS\NdisIP.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi] "ImagePath"="system32\DRIVERS\ndistapi.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio] "ImagePath"="system32\DRIVERS\ndisuio.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan] "ImagePath"="system32\DRIVERS\ndiswan.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS] "ImagePath"="system32\DRIVERS\netbios.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT] "ImagePath"="system32\DRIVERS\netbt.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE] "ImagePath"="%SystemRoot%\system32\netdde.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm] "ImagePath"="%SystemRoot%\system32\netdde.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon] "ImagePath"="%SystemRoot%\system32\lsass.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman] "ServiceDll"="%SystemRoot%\System32\netman.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIC1394] "ImagePath"="system32\DRIVERS\nic1394.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla] "ServiceDll"="%SystemRoot%\System32\mswsock.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NPFMntor] 
"ImagePath"="\"J:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSCService] "ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp] "ImagePath"="%SystemRoot%\system32\lsass.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc] "ServiceDll"="%SystemRoot%\system32\ntmssvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nTuneService] "ImagePath"="J:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nv] "ImagePath"="system32\DRIVERS\nv4_mini.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nvatabus] "ImagePath"="system32\DRIVERS\nvatabus.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nvcap] "ImagePath"="system32\DRIVERS\nvcap.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NVENETFD] "ImagePath"="system32\DRIVERS\NVENETFD.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nvnetbus] "ImagePath"="system32\DRIVERS\nvnetbus.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NVR0Dev] "ImagePath"="\??\J:\WINDOWS\nvoclock.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NVSvc] "ImagePath"="%SystemRoot%\system32\nvsvc32.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NVXBAR] "ImagePath"="system32\DRIVERS\NVxbar.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt] "ImagePath"="system32\DRIVERS\nwlnkflt.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd] "ImagePath"="system32\DRIVERS\nwlnkfwd.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ohci1394] "ImagePath"="system32\DRIVERS\ohci1394.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport] "ImagePath"="system32\DRIVERS\parport.sys" 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI] "ImagePath"="system32\DRIVERS\pci.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde] "ImagePath"="system32\DRIVERS\pciide.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCLEPCI] "ImagePath"="\??\J:\WINDOWS\system32\drivers\pclepci.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay] "ImagePath"="%SystemRoot%\system32\services.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pnp680] "ImagePath"="system32\DRIVERS\pnp680.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent] "ImagePath"="%SystemRoot%\system32\lsass.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport] "ImagePath"="system32\DRIVERS\raspptp.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Processor] "ImagePath"="system32\DRIVERS\processr.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\prodrv06] "ImagePath"="\SystemRoot\System32\drivers\prodrv06.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\prohlp02] "ImagePath"="System32\drivers\prohlp02.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\prosync1] "ImagePath"="System32\drivers\prosync1.sys" 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage] "ImagePath"="%SystemRoot%\system32\lsass.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched] "ImagePath"="system32\DRIVERS\psched.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink] "ImagePath"="system32\DRIVERS\ptilink.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20] "ImagePath"="System32\Drivers\PxHelp20.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd] "ImagePath"="system32\DRIVERS\rasacd.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto] "ServiceDll"="%SystemRoot%\System32\rasauto.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp] "ImagePath"="system32\DRIVERS\rasl2tp.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan] "ServiceDll"="%SystemRoot%\System32\rasmans.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe] "ImagePath"="system32\DRIVERS\raspppoe.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti] "ImagePath"="system32\DRIVERS\raspti.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss] "ImagePath"="system32\DRIVERS\rdbss.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD] "ImagePath"="System32\DRIVERS\RDPCDD.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr] "ImagePath"="system32\DRIVERS\rdpdr.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr] "ImagePath"="J:\WINDOWS\system32\sessmgr.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook] 
"ImagePath"="system32\DRIVERS\redbook.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess] "ServiceDll"="%SystemRoot%\System32\mprdim.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry] "ServiceDll"="%SystemRoot%\system32\regsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RivaTunerEx] "ImagePath"="\??\L:\Program Filer\Riva Tuner\RivaTunerEx.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator] "ImagePath"="%SystemRoot%\system32\locator.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs] "ServiceDll"="%SystemRoot%\System32\rpcss.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP] "ImagePath"="%SystemRoot%\system32\rsvp.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs] "ImagePath"="%SystemRoot%\system32\lsass.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT] "ImagePath"="\??\J:\Program Files\Norton AntiVirus\SAVRT.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRTPEL] "ImagePath"="\??\J:\Program Files\Norton AntiVirus\SAVRTPEL.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVScan] "ImagePath"="\"J:\Program Files\Norton AntiVirus\SAVScan.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr] "ImagePath"="%SystemRoot%\System32\SCardSvr.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule] "ServiceDll"="%SystemRoot%\system32\schedsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv] "ImagePath"="system32\DRIVERS\secdrv.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon] "ServiceDll"="%SystemRoot%\System32\seclogon.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS] "ServiceDll"="%SystemRoot%\system32\sens.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum] "ImagePath"="system32\DRIVERS\serenum.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial] "ImagePath"="system32\DRIVERS\serial.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfdrv01] 
"ImagePath"="System32\drivers\sfdrv01.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfhlp01] "ImagePath"="System32\drivers\sfhlp01.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfhlp02] "ImagePath"="System32\drivers\sfhlp02.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfsync04] "ImagePath"="System32\drivers\sfsync04.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sfvfs02] "ImagePath"="System32\drivers\sfvfs02.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess] "ServiceDll"="%SystemRoot%\System32\ipnathlp.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection] "ServiceDll"="%SystemRoot%\System32\shsvcs.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLIP] "ImagePath"="system32\DRIVERS\SLIP.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc] "ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\snpstd] "ImagePath"="system32\DRIVERS\snpstd.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPBBCDrv] "ImagePath"="\??\J:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPBBCSvc] "ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter] "ImagePath"="system32\drivers\splitter.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler] "ImagePath"="%SystemRoot%\system32\spoolsv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sptd] "ImagePath"="System32\Drivers\sptd.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sr] "ImagePath"="system32\DRIVERS\sr.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice] "ServiceDll"="J:\WINDOWS\system32\srsvc.dll" 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv] "ImagePath"="system32\DRIVERS\srv.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV] "ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc] "ServiceDll"="%SystemRoot%\system32\wiaservc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\streamip] "ImagePath"="system32\DRIVERS\StreamIP.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum] "ImagePath"="system32\DRIVERS\swenum.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi] "ImagePath"="system32\drivers\swmidi.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv] "ImagePath"="J:\WINDOWS\system32\dllhost.exe /Processid:{43C1B264-055C-45A5-88BF-AF4D361BA3CF}" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Symantec Core LC] "ImagePath"="\"J:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMDNS] "ImagePath"="\SystemRoot\System32\Drivers\SYMDNS.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymEvent] "ImagePath"="\??\J:\WINDOWS\system32\Drivers\SYMEVENT.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMFW] "ImagePath"="\SystemRoot\System32\Drivers\SYMFW.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMIDS] "ImagePath"="\SystemRoot\System32\Drivers\SYMIDS.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMIDSCO] "ImagePath"="\??\J:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20080221.002\symidsco.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symlcbrd] "ImagePath"="\??\J:\WINDOWS\system32\drivers\symlcbrd.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMNDIS] "ImagePath"="\SystemRoot\System32\Drivers\SYMNDIS.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMREDRV] "ImagePath"="\SystemRoot\System32\Drivers\SYMREDRV.SYS" 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI] "ImagePath"="\SystemRoot\System32\Drivers\SYMTDI.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio] "ImagePath"="system32\drivers\sysaudio.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog] "ImagePath"="%SystemRoot%\system32\smlogsvc.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysTool] "ImagePath"="system32\DRIVERS\SysTool.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv] "ServiceDll"="%SystemRoot%\System32\tapisrv.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip] "ImagePath"="system32\DRIVERS\tcpip.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD] "ImagePath"="system32\DRIVERS\termdd.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService] "ServiceDll"="%SystemRoot%\System32\termsrv.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes] "ServiceDll"="%SystemRoot%\System32\shsvcs.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr] "ImagePath"="J:\WINDOWS\system32\tlntsvr.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks] "ServiceDll"="%SystemRoot%\system32\trkwks.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UMWdf] "ImagePath"="J:\WINDOWS\system32\wdfmgr.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update] "ImagePath"="system32\DRIVERS\update.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost] "ServiceDll"="%SystemRoot%\System32\upnphost.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS] 
"ImagePath"="%SystemRoot%\System32\ups.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usb] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp] "ImagePath"="system32\DRIVERS\usbccgp.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci] "ImagePath"="system32\DRIVERS\usbehci.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub] "ImagePath"="system32\DRIVERS\usbhub.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbohci] "ImagePath"="system32\DRIVERS\usbohci.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint] "ImagePath"="system32\DRIVERS\usbprint.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan] "ImagePath"="system32\DRIVERS\usbscan.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR] "ImagePath"="system32\DRIVERS\USBSTOR.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usnjsvc] "ImagePath"="\"J:\Program Files\MSN Messenger\usnsvc.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UxTuneUp] "ServiceDll"="%SystemRoot%\System32\uxtuneup.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave] "ImagePath"="\SystemRoot\System32\drivers\vga.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS] "ImagePath"="%SystemRoot%\System32\vssvc.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time] "ServiceDll"="%systemroot%\system32\w32time.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp] "ImagePath"="system32\DRIVERS\wanarp.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud] "ImagePath"="system32\drivers\wdmaud.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDMCAPI] "ImagePath"="system32\DRIVERS\WDMCAPI.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDMWANMP] "ImagePath"="system32\DRIVERS\wdmwanmp.sys" 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient] "ServiceDll"="%SystemRoot%\System32\webclnt.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt] "ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN] "ServiceDll"="J:\WINDOWS\system32\mspmsnsv.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi] "ServiceDll"="%SystemRoot%\System32\advapi32.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv] "ImagePath"="J:\WINDOWS\system32\wbem\wmiapsrv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL] "ImagePath"="\SystemRoot\System32\drivers\ws2ifsl.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WSTCODEC] "ImagePath"="system32\DRIVERS\WSTCODEC.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv] "ServiceDll"="J:\WINDOWS\system32\wuauserv.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC] "ServiceDll"="%SystemRoot%\System32\wzcsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov] "ServiceDll"="%SystemRoot%\System32\xmlprov.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{328C3FD6-1DD5-42DC-8F82-B35B0A61A5BE}] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{765599F0-9710-4F28-BBC3-8A262E5B608E}] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{7684FE3B-C811-488D-BEE9-FA573F6414FB}] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DB47941E-2520-466D-966E-599EE90F5D0E}] . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: J:\WINDOWS\system32\lsass.exe -> J:\Program Files\NetLimiter\nl_lsp.dll -> J:\WINDOWS\system32\nl_msgc.dll . ------------------------ Other Running Processes ------------------------ . 
J:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE J:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE J:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe J:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe J:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe J:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe J:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE J:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe J:\WINDOWS\system32\nvsvc32.exe J:\WINDOWS\system32\rundll32.exe J:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE . ************************************************************************** . Completion time: 2008-09-22 1:19:06 - machine was rebooted ComboFix-quarantined-files.txt 2008-09-21 23:19:03 Pre-Run: 158 339 072 bytes free Post-Run: 12,075,008 bytes free 908 --- E O F --- 2008-03-24 13:33:01
HiJack-this:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 01:25:44, on 22.09.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0013) Boot mode: Normal Running processes: J:\WINDOWS\System32\smss.exe J:\WINDOWS\system32\winlogon.exe J:\WINDOWS\system32\services.exe J:\WINDOWS\system32\lsass.exe J:\WINDOWS\system32\svchost.exe J:\WINDOWS\System32\svchost.exe J:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe J:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe J:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe J:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe J:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe J:\WINDOWS\system32\spoolsv.exe J:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe J:\Program Files\Norton AntiVirus\navapsvc.exe J:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe J:\Program Files\NVIDIA 
Corporation\nTune\nTuneService.exe J:\WINDOWS\system32\nvsvc32.exe J:\WINDOWS\system32\svchost.exe J:\WINDOWS\SOUNDMAN.EXE J:\WINDOWS\system32\RUNDLL32.EXE J:\Program Files\Winamp\winampa.exe J:\WINDOWS\vsnpstd.exe J:\Program Files\CyberLink\PowerDVD\PDVDServ.exe J:\Program Files\Common Files\Symantec Shared\ccApp.exe J:\Program Files\QuickTime\qttask.exe J:\Program Files\DAEMON Tools\daemon.exe J:\WINDOWS\system32\ctfmon.exe J:\Program Files\TaskSwitchXP\TaskSwitchXP.exe J:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE J:\WINDOWS\explorer.exe J:\WINDOWS\system32\notepad.exe J:\Program Files\Mozilla Firefox\firefox.exe J:\Documents and Settings\Administrator\Desktop\Testttt\testttt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - J:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - J:\PROGRA~1\FlashFXP\IEFlash.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - J:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE J:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup O4 - HKLM\..\Run: [WinampAgent] J:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [snpstd] J:\WINDOWS\vsnpstd.exe O4 - 
HKLM\..\Run: [RemoteControl] "J:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [ccApp] "J:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [NeroFilterCheck] J:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] J:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [KillCopy] J:\Program Files\KillSoft\KillCopy\kcresume.exe /startup O4 - HKLM\..\Run: [QuickTime Task] "J:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [DAEMON Tools] "J:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [NVIDIA nTune] "J:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O4 - HKLM\..\Run: [amd_dc_opt] J:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe O4 - HKLM\..\Run: [symantec PIF AlertEng] "J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKCU\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TaskSwitchXP] J:\Program Files\TaskSwitchXP\TaskSwitchXP.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] J:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] J:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - 
HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user') O4 - Startup: Adobe Gamma.lnk = J:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: PowerReg Scheduler V3.exe O14 - IERESET.INF: START_PAGE_URL=http://www.c2i.net/ O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - J:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: tqoghn.dll O23 - Service: Adobe LM Service - Adobe Systems - J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - J:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Indexing Service (CiSvc) - Unknown owner - J:\WINDOWS\system32\cisvc.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - J:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - J:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - J:\Program 
Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - J:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: nTune Service (nTuneService) - NVIDIA - J:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - J:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - J:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 8174 bytes> edit: Hva bør jeg nå gjøre? Innstallere nytt antivirus-prog? Har jo bare norton 2006 og avg free. Bør jeg ha på windows brannmur? Endret 21. september 2008 av glimpze Lenke til kommentar
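As an added example (not part of this thread and not code from HijackThis, ComboFix or VundoFix), the following Python triage pulls out of a HijackThis-style log the entries that mattered in the log above: the AppInit_DLLs line, the RunOnce entries that move syssetub.dll over syssetup.dll at next logon, and Run entries registered under the service-account hives. The sample lines are constructed after the posted log, and the severities, regexes and the ctfmon allowlist are this example's own assumptions.

```python
"""Triage of HijackThis-style log lines for the persistence mechanisms seen in this thread.

Added example, not part of the forum thread and not code from HijackThis, ComboFix or
VundoFix. The sample lines are constructed after entries quoted in the log above; the
severities, the allowlist and the regexes are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, shaped like the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] J:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: tqoghn.dll
O23 - Service: Indexing Service (CiSvc) - Unknown owner - J:\WINDOWS\system32\cisvc.exe (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - J:\Program Files\Norton AntiVirus\NavShExt.dll
"""


@dataclass
class Finding:
    severity: str  # "HIGH", "MEDIUM" or "INFO"
    line: str
    reason: str


# Hives of the service accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) and of the
# default profile; ordinary desktop software has no reason to register Run entries there.
SERVICE_HIVES = ("S-1-5-18", "S-1-5-19", "S-1-5-20", ".DEFAULT")
# Assumed allowlist: ctfmon is routinely present under those hives on Windows XP.
SERVICE_RUN_ALLOW = ("ctfmon.exe",)

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
# A RunOnce that shells out to move/copy/rename a file is a swap staged for the next
# logon; in the thread it replaced syssetup.dll with a planted syssetub.dll.
STAGED_SWAP_RE = re.compile(r"\bcmd(\.exe)?\s+/c\s+(move|copy|ren|rename)\b", re.I)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None when nothing stands out."""
    line = line.strip()

    m = O20_RE.match(line)
    if m:
        dlls = m.group("dlls").strip()
        if not dlls:
            return None
        # Every DLL named here is loaded into every process that maps user32.dll,
        # which is why Vundo-era malware used it and why a non-empty value is rarely legitimate.
        return Finding("HIGH", line, f"AppInit_DLLs injects {dlls} into every user-mode process")

    m = O4_RE.match(line)
    if m:
        hive, key, cmd = m.group("hive").upper(), m.group("key"), m.group("cmd")
        if key == "RunOnce" and STAGED_SWAP_RE.search(cmd):
            return Finding("HIGH", line, "RunOnce stages a file move/rename at next logon")
        if any(h in hive for h in SERVICE_HIVES) and not any(
            a in cmd.lower() for a in SERVICE_RUN_ALLOW
        ):
            return Finding("MEDIUM", line, "Run entry under a service-account or default hive")
        return None

    if line.startswith("O23 - Service:") and line.endswith("(file missing)"):
        # Not malicious by itself, but a service whose binary is gone is either an
        # uninstall leftover or the trace of a payload a scanner has already removed.
        return Finding("INFO", line, "service registered for a binary that no longer exists")

    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every non-empty line of a log and collect the findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        finding = triage_line(raw)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.severity}] {finding.reason}\n    {finding.line}")
```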
r2d290 Posted 22 September 2008

What you can do is:
Download VundoFix to the desktop
Double-click VundoFix.exe
Click the Scan for Vundo button
Click the Remove Vundo button
Answer yes and OK to the windows that appear
A log is created (C:\vundofix.txt) which you post later.
Then make a new ComboFix log and post it together with the VundoFix log
glimpze (Author) Posted 22 September 2008 (edited)

> What you can do is:
> Download VundoFix to the desktop
> Double-click VundoFix.exe
> Click the Scan for Vundo button
> Click the Remove Vundo button
> Answer yes and OK to the windows that appear
> A log is created (C:\vundofix.txt) which you post later.
> Then make a new ComboFix log and post it together with the VundoFix log

I have done this, and here are the logs:

VundoFix:

VundoFix V7.0.6

Scan started at 22:29:16 22.09.2008

Listing files found while scanning....

J:\Windows\system32\lhbobpwp.dll
J:\Windows\system32\phrltvbk.dll

Beginning removal...

Attempting to delete J:\Windows\system32\lhbobpwp.dll
J:\Windows\system32\lhbobpwp.dll Has been deleted!

Attempting to delete J:\Windows\system32\phrltvbk.dll
J:\Windows\system32\phrltvbk.dll Has been deleted!

Performing Repairs to the registry.
Done!

When I paste in the ComboFix log my post just comes out completely blank, like the one above. Both inside a spoiler and if I paste it straight in here. What is wrong?

Edited 22 September 2008 by glimpze
r2d290 Posted 22 September 2008

www.pastebin.no

Paste it in there and put the link in the forum
glimpze (Author) Posted 22 September 2008

> www.pastebin.no
> Paste it in there and put the link in the forum

ComboFix log 2: http://www.pastebin.no/35444
norbat Posted 22 September 2008 (edited)

Open Notepad and copy in what is written in bold below. Save the file on the desktop as CFScript.txt
Drag the file and drop it onto the ComboFix icon. ComboFix will start again:

killall::
snapshot::

File::
J:\WINDOWS\system32\jjjlm.ini2
J:\WINDOWS\system32\ugllnrob.ini
J:\WINDOWS\system32\cbnqwbap.ini
J:\WINDOWS\system32\rfvahswv.ini
J:\WINDOWS\system32\sgdtkdsi.ini
J:\WINDOWS\system32\oxjmxidm.ini
J:\WINDOWS\system32\ssndrmeg.ini
J:\WINDOWS\system32\ogujxwgb.ini
J:\WINDOWS\system32\sdvbortn.ini
J:\WINDOWS\system32\syrpagqc.ini
J:\WINDOWS\system32\pcrmwchh.ini
J:\WINDOWS\system32\blhsqygd.ini
J:\WINDOWS\system32\hlpossno.ini
J:\WINDOWS\system32\tveysnxi.ini
J:\WINDOWS\system32\uwnjrntw.ini
J:\WINDOWS\system32\otmpimul.ini
J:\WINDOWS\system32\kjllm.ini2
J:\WINDOWS\system32\oqtss.ini2
J:\WINDOWS\system32\orutv.ini2
J:\WINDOWS\system32\drivers\wxmaycbn.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Post the log

Edited 22 September 2008 by norbat
glimpze (Author) Posted 22 September 2008

Did as you said, norbat. Here is ComboFix log 3:

ComboFix 08-09-20.05 - Administrator 2008-09-23 1:10:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1651 [GMT 2:00]
Running from: J:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: J:\Documents and Settings\Administrator\Desktop\CFScript.txt
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
J:\WINDOWS\system32\blhsqygd.ini
J:\WINDOWS\system32\cbnqwbap.ini
J:\WINDOWS\system32\drivers\wxmaycbn.dat
J:\WINDOWS\system32\hlpossno.ini
J:\WINDOWS\system32\jjjlm.ini2
J:\WINDOWS\system32\kjllm.ini2
J:\WINDOWS\system32\ogujxwgb.ini
J:\WINDOWS\system32\oqtss.ini2
J:\WINDOWS\system32\orutv.ini2
J:\WINDOWS\system32\otmpimul.ini
J:\WINDOWS\system32\oxjmxidm.ini
J:\WINDOWS\system32\pcrmwchh.ini
J:\WINDOWS\system32\rfvahswv.ini
J:\WINDOWS\system32\sdvbortn.ini
J:\WINDOWS\system32\sgdtkdsi.ini
J:\WINDOWS\system32\ssndrmeg.ini
J:\WINDOWS\system32\syrpagqc.ini
J:\WINDOWS\system32\tveysnxi.ini
J:\WINDOWS\system32\ugllnrob.ini
J:\WINDOWS\system32\uwnjrntw.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

J:\WINDOWS\system32\blhsqygd.ini
J:\WINDOWS\system32\cbnqwbap.ini
J:\WINDOWS\system32\drivers\wxmaycbn.dat
J:\WINDOWS\system32\hlpossno.ini
J:\WINDOWS\system32\jjjlm.ini2
J:\WINDOWS\system32\kjllm.ini2
J:\WINDOWS\system32\ogujxwgb.ini
J:\WINDOWS\system32\oqtss.ini2
J:\WINDOWS\system32\orutv.ini2
J:\WINDOWS\system32\otmpimul.ini
J:\WINDOWS\system32\oxjmxidm.ini
J:\WINDOWS\system32\pcrmwchh.ini
J:\WINDOWS\system32\rfvahswv.ini
J:\WINDOWS\system32\sdvbortn.ini
J:\WINDOWS\system32\sgdtkdsi.ini
J:\WINDOWS\system32\ssndrmeg.ini
J:\WINDOWS\system32\syrpagqc.ini
J:\WINDOWS\system32\tveysnxi.ini
J:\WINDOWS\system32\ugllnrob.ini
J:\WINDOWS\system32\uwnjrntw.ini
.

((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-22 23:15 . 2008-09-22 23:15 <DIR> d-------- J:\WINDOWS\LastGood.Tmp
2008-09-22 23:15 . 2008-09-22 23:15 <DIR> d-------- J:\Program Files\ESET
2008-09-22 22:40 . 2008-09-22 22:40 24,576 --a------ J:\WINDOWS\system32\VundoFixSVC.exe
2008-09-22 22:29 . 2008-09-22 22:41 <DIR> d-------- J:\VundoFix Backups
2008-09-22 21:10 . 2008-09-22 21:13 <DIR> d-------- J:\WINDOWS\system32\CatRoot_bak
2008-09-22 02:02 . 2008-06-13 15:10 272,128 --------- J:\WINDOWS\system32\drivers\bthport.sys
2008-09-22 02:02 . 2008-06-13 15:10 272,128 -----c--- J:\WINDOWS\system32\dllcache\bthport.sys
2008-09-22 01:55 . 2008-09-22 03:02 1,374 --a------ J:\WINDOWS\imsins.BAK
2008-09-22 00:38 . 2008-06-23 18:57 6,066,176 -----c--- J:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-22 00:38 . 2007-04-17 11:32 2,455,488 -----c--- J:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-09-22 00:38 . 2007-03-08 07:10 991,232 -----c--- J:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-09-22 00:38 . 2008-06-23 18:57 459,264 -----c--- J:\WINDOWS\system32\dllcache\msfeeds.dll
2008-09-22 00:38 . 2008-06-23 18:57 383,488 -----c--- J:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-09-22 00:38 . 2008-05-01 16:30 331,776 -----c--- J:\WINDOWS\system32\dllcache\msadce.dll
2008-09-22 00:38 . 2008-06-23 18:57 267,776 -----c--- J:\WINDOWS\system32\dllcache\iertutil.dll
2008-09-22 00:38 . 2008-06-23 18:57 63,488 -----c--- J:\WINDOWS\system32\dllcache\icardie.dll
2008-09-22 00:38 . 2008-06-23 18:57 52,224 -----c--- J:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-09-22 00:38 . 2008-06-23 11:20 13,824 -----c--- J:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-21 23:45 . 2008-09-21 23:45 <DIR> d-------- J:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 23:45 . 2008-09-21 23:45 <DIR> d-------- J:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 23:45 . 2008-09-21 23:45 <DIR> d-------- J:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-21 23:45 . 2008-09-10 00:04 38,528 --a------ J:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 23:45 . 2008-09-10 00:03 17,200 --a------ J:\WINDOWS\system32\drivers\mbam.sys
2008-09-15 00:22 . 2008-09-15 00:22 <DIR> d-------- J:\Documents and Settings\All Users\Application Data\ESET
2008-09-06 17:48 . 2008-09-06 17:55 <DIR> d-------- J:\Documents and Settings\All Users\Application Data\TrackMania
2008-08-29 01:24 . 2008-08-29 01:24 54,156 --ah----- J:\WINDOWS\QTFont.qfn
2008-08-29 01:24 . 2008-08-29 01:24 1,409 --a------ J:\WINDOWS\QTFont.for
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-09-22 20:42 --------- d-----w J:\Program Files\Common Files\Symantec Shared
2008-09-22 20:42 --------- d-----w J:\Documents and Settings\All Users\Application Data\Symantec
2008-09-22 20:42 --------- d-----w J:\Documents and Settings\Administrator\Application Data\Symantec
2008-09-22 20:32 --------- d-----w J:\Program Files\Symantec
2008-09-22 00:29 --------- d-----w J:\Documents and Settings\All Users\Application Data\avg7
2008-09-22 00:28 --------- d-----w J:\Program Files\mIRC
2008-09-22 00:08 --------- d-----w J:\Program Files\Mozilla Thunderbird
2008-09-21 21:44 --------- d-----w J:\Program Files\CCleaner
2008-09-15 07:42 --------- d-----w J:\Program Files\DAEMON Tools
2008-09-15 06:00 --------- d-----w J:\Documents and Settings\LocalService\Application Data\AVG7
2008-09-14 22:21 --------- d-----w J:\Program Files\audiograbber
2008-09-03 22:36 --------- d-----w J:\Program Files\Winamp
2008-08-29 00:12 --------- d-----w J:\Program Files\DC++
2008-08-28 17:34 --------- d-----w J:\Documents and Settings\Administrator\Application Data\AVG7
2008-08-27 23:12 --------- d-----w J:\Documents and Settings\Administrator\Application Data\uTorrent
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="J:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
"TaskSwitchXP"="J:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="J:\WINDOWS\system32\NvCpl.dll" [2005-10-10 7286784]
"NvMediaCenter"="J:\WINDOWS\system32\NvMcTray.dll" [2005-10-10 86016]
"WinampAgent"="J:\Program Files\Winamp\winampa.exe" [2005-12-09 35328]
"snpstd"="J:\WINDOWS\vsnpstd.exe" [2003-12-31 40960]
"RemoteControl"="J:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="J:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"PinnacleDriverCheck"="J:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 406016]
"KillCopy"="J:\Program Files\KillSoft\KillCopy\kcresume.exe" [2006-08-07 295424]
"QuickTime Task"="J:\Program Files\QuickTime\qttask.exe" [2006-10-17 98304]
"DAEMON Tools"="J:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"NVIDIA nTune"="J:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2006-10-31 81920]
"amd_dc_opt"="J:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"Symantec PIF AlertEng"="J:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"egui"="J:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 J:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2005-10-10 J:\WINDOWS\system32\nwiz.exe]
"Resume copy"="copyfstq.exe" [2002-03-24 J:\WINDOWS\COPYFSTQ.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="J:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 15360]
"TaskSwitchXP"="J:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]
"DWQueuedReporting"="J:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"nlhr"="J:\WINDOWS\System32\AdvPack.Dll" [2008-06-23 124928]
"tscuninstall"="J:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 44544]

J:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - J:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
PowerReg Scheduler V3.exe [2006-07-21 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DIV3"= J:\PROGRA~1\K-LITE~1\codecs\DivXc32.dll
"VIDC.DIV4"= J:\PROGRA~1\K-LITE~1\codecs\DivXc32f.dll
"VIDC.3iv2"= J:\PROGRA~1\K-LITE~1\codecs\3IVXVF~1.DLL
"VIDC.HFYU"= J:\PROGRA~1\K-LITE~1\codecs\huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.VP70"= J:\PROGRA~1\K-LITE~1\codecs\vp7vfw.dll
"VIDC.VP31"= J:\PROGRA~1\K-LITE~1\codecs\vp31vfw.dll
"VIDC.MP43"= J:\PROGRA~1\K-LITE~1\codecs\Mpg4c32.dll
"VIDC.FFDS"= J:\PROGRA~1\K-LITE~1\ffdshow\ff_vfw.dll
"msacm.ac3acm"= J:\PROGRA~1\K-LITE~1\codecs\ac3acm.acm
"msacm.lameacm"= J:\PROGRA~1\K-LITE~1\codecs\lameACM.acm
"msacm.l3fhg"= J:\PROGRA~1\K-LITE~1\codecs\l3codecp.acm
"msacm.divxa32"= J:\PROGRA~1\K-LITE~1\codecs\divxa32.acm
"msacm.imc"= imc32.acm
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"K:\\Spill\\Battlefield 2\\BF2.exe"=
"J:\\Program Files\\BitComet\\BitComet.exe"=
"J:\\Program Files\\LimeWire\\LimeWire.exe"=
"J:\\Program Files\\Valve\\hl.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\counter-strike\\hl.exe"=
"J:\\Program Files\\mIRC\\mirc.exe"=
"J:\\Program Files\\DC++\\DCPlusPlus.exe"=
"J:\\Program Files\\Azureus\\Azureus.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\half-life 2 deathmatch\\hl2.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\rag doll kung fu demo\\Rag_Doll_Kung_Fu_Steam.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\counter-strike source\\hl2.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\half-life\\hl.exe"=
"K:\\Spill\\Need For Speed Most Wanted\\speed.exe"=
"C:\\Innstallere\\aoe2 on 85.19.151.132\\age2_x1.exe"=
"\\\\prestjord\\aoe2 on 85.19.151.132\\age2_x1.exe"=
"J:\\WINDOWS\\system32\\dplaysvr.exe"=
"K:\\Spill\\Call Of Duty 2\\CoD2MP_s.exe"=
"J:\\WINDOWS\\system32\\dpvsetup.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\team fortress classic\\hl.exe"=
"E:\\FRA 80 GB\\Spill\\-=Red Alert 2=-\\GAME.EXE"=
"J:\\Program Files\\FlashFXP\\flashfxp.exe"=
"C:\\Spill\\Quake 4\\Quake4.exe"=
"C:\\Spill\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"J:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"J:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"J:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"J:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"J:\\WINDOWS\\system32\\dxdiag.exe"=
"J:\\WINDOWS\\system32\\dpnsvr.exe"=
"Q:\\Spill\\cs 1.6\\hl.exe"=
"Q:\\Spill\\Generals\\game.dat"=
"Q:\\Spill\\Generals Zero Hour\\game.dat"=
"K:\\Spill\\Age Of Empires 3\\age3.exe"=
"Q:\\Spill\\Colin McRae 04\\cmr4.exe"=
"C:0\\Spill\\The Lord Of The Rings - The Battle For Middle Earth 2\\game.dat"=
"C:4\\Spill\\MotoGP2\\motogp2.exe"=
"C:\\Spill\\cs 1.6\\hl.exe"=
"C:0\\Spill\\Act Of War\\ACTOFWAR.EXE"=
"C:0\\Spill\\The First Decade\\Command & Conquer Generals Zero Hour\\generals.exe"=
"J:\\Program Files\\uTorrent\\utorrent.exe"=
"C:0\\Spill\\Serious Sam - The Second Encounter\\Bin\\SeriousSam.exe"=
"C:0\\Spill\\Worms Forts Under Siege\\WF.exe"=
"E:\\FRA 80 GB\\Spill\\Unreal Tournament\\System\\UnrealTournament.exe"=
"J:\\Program Files\\WebEye\\WebEye.exe"=
"C:0\\Spill\\Worms 2\\frontend.exe"=
"C:0\\Spill\\Worms_2\\worms2.exe"=
"\\\\paul\\Upload\\worms2.exe"=
"K:\\Spill\\Steam\\SteamApps\\[email protected]\\garrysmod\\hl2.exe"=
"J:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:0\\Spill\\Outrun 2006 - Coast To Coast\\OR2006C2C.EXE"=
"J:\\Program Files\\Skype\\Phone\\Skype.exe"=
"J:\\Program Files\\Hamachi\\hamachi.exe"=
"J:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"J:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:7\\Spill\\Company Of Heroes - Opposing Force\\RelicCOH.exe"=
"C:7\\Spill\\ISO\\FlatOut2 på bernt\\FlatOut2.exe"=
"R:\\Spill\\C&C3 Tiberium Wars\\RetailExe\\1.0\\cnc3game.dat"=
"C:6\\Spill\\Company Of Heroes\\RelicCOH.exe"=
"C:6\\Spill\\FlatOut2\\FlatOut2.exe"=
"C:0\\Spill\\TmNationsForever\\TmForever.exe"=
"C:0\\Spill\\TmUnitedForever\\TmForever.exe"=

R0 Pnp680;SiI 680 ATA Controller;J:\WINDOWS\system32\DRIVERS\pnp680.sys [2002-03-15 37031]
R0 WDMCAPI;ISDN PCI CAPI;J:\WINDOWS\system32\DRIVERS\WDMCAPI.sys [2002-04-24 612669]
R1 epfwtdir;epfwtdir;J:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
R2 UxTuneUp;TuneUp Design Expansion;J:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
R3 WDMWANMP;NDIS WAN miniport;J:\WINDOWS\system32\DRIVERS\wdmwanmp.sys [2002-03-26 26067]
S1 SysTool;SysTool Overclocking Utility;J:\WINDOWS\system32\DRIVERS\SysTool.sys [2005-09-26 24064]
S3 RivaTunerEx;RivaTunerEx;L:\Program Filer\Riva Tuner\RivaTunerEx.sys [2004-10-04 2560]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
\Shell\AutoRun\command - P:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebe9a054-6b1d-11da-98d7-806d6172696f}]
\Shell\AutoRun\command - G:\POV.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 01:14:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: J:\WINDOWS\system32\lsass.exe
-> J:\Program Files\NetLimiter\nl_lsp.dll
-> J:\WINDOWS\system32\nl_msgc.dll
.
------------------------ Other Running Processes ------------------------
.
J:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
J:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
J:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
J:\WINDOWS\system32\nvsvc32.exe
J:\WINDOWS\system32\rundll32.exe
J:\WINDOWS\SoftwareDistribution\Download\0d3b5d19cc06db007bbe6584808bfa9e\update\update.exe
.
**************************************************************************
.
Completion time: 2008-09-23 1:17:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 23:17:35
ComboFix2.txt 2008-09-22 20:47:45
ComboFix3.txt 2008-09-21 23:19:07

Pre-Run: 169 787 392 bytes free
Post-Run: 138,674,176 bytes free

287 --- E O F --- 2008-09-22 01:02:59
norbat Posted 23 September 2008

Then the log looks fine. Is the PC running OK?

It is a good idea to remove ComboFix. You do that by typing combofix /u in the Run box (Start -> Run). This will also reset System Restore so that you do not get reinfected by a possible restore later on.

Feel free to keep MBAM.
r2d290 Posted 23 September 2008

If you think the problem with your machine is solved, you can change your thread title by clicking the edit button in your first post and choosing full edit. At the top, where your thread title is, write [LØST] (solved) in front of the thread title.

Example: [LØST] Got a virus on my machine

This helps keep the forum tidier for the supporters, and new people who get the same problem will more easily find a suitable thread to look in.

-Surf safely-
glimpze (Author) Posted 23 September 2008

The PC is running fine, yes! Installed NOD32 antivirus, things look like they are working as they should now :-) But Windows Automatic Update wants to install "windows malicious software removal tool"... is this legitimate?
norbat Posted 23 September 2008

Yes, just let Windows Update update.

ComboFix can be removed by typing combofix /u in the Run box (Start -> Run). This will also reset System Restore so that you do not get reinfected by a possible restore later on.

Surf safely
glimpze (Author) Posted 23 September 2008

Thanks for the help